CVE-2005-4709

Name of the Vulnerable Software and Affected Versions JBoss Enterprise Java Beans (EJB) 3.0 RC3

Description The issue arises from the popSubjectContext method in the SecurityAssociation class, which fails to properly reset the threadPrincipal and threadCredential values after a client session terminates. This allows remote attackers to potentially gain the roles of an arbitrary previous client who had the same JBoss server thread.

Recommendations For JBoss Enterprise Java Beans (EJB) 3.0 RC3, consider implementing a workaround to reset the threadPrincipal and threadCredential values after each client session termination to prevent unauthorized access. However, at the moment, there is no information about a newer version that contains a fix for this vulnerability.